A recently observed credit card skimming campaign steals payment card details from compromised websites.
MageCart is the name given to numerous cybercriminal groups that embed digital skimmers on compromised e-commerce sites. The group made global headlines for a series of high-profile breaches on Ticketmaster, British Airways, and Newegg. These groups are still active and continue to target online stores to steal payment card details from unaware customers.
The skimmer script is hosted on the C&C under a path that carries the compromised site's own hostname as the file name:
<C&C>/src/<compromised website>.js
<C&C>/js/<compromised website>.js
<C&C>/assets/<compromised website>.js
To check that the current page is the payment page, it searches the page URL for the keywords onepage, checkout, onestep, and firecheckout. Once it is on the correct page, it intercepts the following details after an unaware customer fills in the fields:
Without knowing which characters were replaced, it would be difficult to decode the captured information back to its original form.
Inspecting the C&C with the IP address 178.33.231[.]184 revealed other domains it is hosting. As expected, these domain names attempt to imitate legitimate e-commerce websites related to different services and products (e.g. food, fitness, espresso, etc.). This makes it more difficult to spot something suspicious during static analysis.
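Two of the behaviours described above double as detection heuristics: the skimmer only activates on URLs containing onepage, checkout, onestep or firecheckout, and its script is loaded from a third-party host under /src/, /js/ or /assets/ with the victim site's own hostname as the file name. Because the C&C domains are chosen to look legitimate, a check that relies on recognising the domain name is weak; the structural pattern (a script named after your own site but served from somewhere else) is not. The scanner below is an added example, not code from the original alert or from the campaign; the sample page, the hostnames in it and the site name shop-example.com are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keywords the skimmer looks for in the URL before it activates (from the alert).
CHECKOUT_KEYWORDS = ("onepage", "checkout", "onestep", "firecheckout")
# Directories under which the skimmer script is served on the C&C (from the alert).
SKIMMER_DIRS = ("src", "js", "assets")


def is_checkout_url(url: str) -> bool:
    """True if the URL contains any keyword the skimmer keys on (case-insensitive)."""
    lowered = url.lower()
    return any(keyword in lowered for keyword in CHECKOUT_KEYWORDS)


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def external_script_sources(html: str):
    """Return every script src found in the HTML, in document order."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return parser.sources


def skimmer_path_pattern(site_host: str) -> re.Pattern:
    """Regex for /src|js|assets/<site_host>.js; the hostname is matched literally."""
    dirs = "|".join(SKIMMER_DIRS)
    return re.compile(r"^/(?:%s)/%s\.js$" % (dirs, re.escape(site_host)), re.IGNORECASE)


def find_suspicious_scripts(site_host: str, html: str):
    """Script URLs whose path echoes site_host but which are served by another host."""
    pattern = skimmer_path_pattern(site_host)
    hits = []
    for src in external_script_sources(html):
        # scheme="https" lets protocol-relative "//host/path" URLs parse with a netloc.
        parsed = urlparse(src, scheme="https")
        host = parsed.netloc.lower()
        if not host or host == site_host.lower():
            continue  # relative or first-party script: not the pattern described
        if pattern.match(parsed.path):
            hits.append(src)
    return hits


# Constructed sample page for the hypothetical shop shop-example.com. The
# third-party hostnames are invented lookalikes, not indicators from the alert.
SAMPLE_URL = "https://shop-example.com/checkout/onepage/"
SAMPLE_HTML = """
<html><head>
<script src="/js/mage/cookies.js"></script>
<script src="https://shop-example.com/js/shop-example.com.js"></script>
<script src="https://espresso-deals-example.net/src/shop-example.com.js"></script>
<script src="//fitness-food-example.org/assets/SHOP-EXAMPLE.COM.js"></script>
<script src="https://cdn-example.net/assets/other-site.com.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    print("checkout page:", is_checkout_url(SAMPLE_URL))
    for script in find_suspicious_scripts("shop-example.com", SAMPLE_HTML):
        print("suspicious script:", script)
```

Run against the constructed page, the scanner ignores the first-party copy of shop-example.com.js and the relative Magento script, and flags the two copies served from foreign hosts, including the one loaded over a protocol-relative URL with a differently cased file name. In practice you would feed it the rendered HTML of your own checkout pages (the ones is_checkout_url selects) and treat any hit as a script to pull and inspect.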
Exposure of sensitive information
Indicators of Compromise
IP(s) / Hostname(s)
Malware Hash (MD5/SHA1/SHA256)
Block threat indicators at your respective controls.